How to open ports for a server on the other side of a VPN
03/26/2020 
40 
14428
DESCRIPTION:
Manually opening Ports from Internet to a server behind the remote firewall which is accessible through Site to Site VPN involves the following steps to be done on the local SonicWall.
RESOLUTION:
Step 1: Creating the necessary Address Objects
Step 2: Defining the NAT Policy.
Step 3: Creating the necessary WAN | Zone Access Rules for public access.
The following example covers allowing RDP (Terminal services) from the Internet to a server located in Site B with private IP address as 192.168.1.5. Once the configuration is complete, Internet users can access the server behind Site B SonicWall UTM appliance through the Site A WAN (Public) IP address 1.1.1.3.
Procedure:
Step 1: Creating the necessary Address objects
1. Select Network | Address Objects.
2. Click on Add button and create two address objects one for Server IP on VPN and another for Public IP of the server:
Step 2: Defining the NAT policy.
1. Select Network | NAT Policies.
2. Click the Add a new NAT Policy button and choose the following settings from the drop-down menu:
The VPN tunnel is established between 192.168.20.0/24 and 192.168.1.0/24 networks. To route this traffic through the VPN tunnel, the local SonicWall UTM device should translate the outside public IP address to a unused or its own IP address in LAN subnet as shown in the above NAT policy.
Step 3: Creating Firewall access rules.
1. Click Firewall | Access Rules tab.
2. Select the type of view in the View Style section and go to WAN to VPN access rules.
3. Click Add and create the rule by entering the following into the fields:
Caution: The ability to define network access rules is a very powerful tool. Using custom access rules can disable firewall protection or block all access to the Internet. Use caution when creating or deleting network access rules.
4. Under the Advanced tab, you can leave the “Inactivity Timeout in Minutes” at 15 minutes. Some protocols, such as Telnet, FTP, SSH, VNC and RDP can take advantage of longer timeouts where increased
5: Click OK.
How to Test:
Testing from within the private network: Try to access the server through its private IP address using “Remote Desktop Connection” to ensure it is working from within the private network itself.
Testing from Site A: Try to access the server using “Remote Desktop Connection” from a computer in Site A to ensure it is accessible through the VPN tunnel.
Testing from the Internet: Login to a remote computer on the Internet and try to access the server by entering the public IP 1.1.1.3 using “remote Desktop Connection”.
Troubleshooting:
Ensure that the Server's Default Gateway IP address is Site B SonicWALL's LAN IP address.
Ensure that the server is able to access the computers in Site A.
Make use of Logs and Sonicwall packet capture tools to isolate the problem.
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
